Car Hacking Goes Mobile at Black Hat

LAS VEGAS – The last time we checked in with Charlie Miller and Chris Valasek was at the Kaspersky Lab Security Analyst Summit where we discussed the means of protecting automobiles against a series of attacks they had been developing. Yesterday the duo presented new, broader research looking at different cars and launching different kinds of attacks at the Black Hat security conference in Las Vegas, Nevada.

First off, Miller, of Twitter, and Valasek, of IOActive, followed through on creating an antivirus-like intrusion detection system capable of blocking the very attacks they launch, which included disabling braking systems, making the car initiate auto-park and jerk to one side or the other while in motion and more.

Perhaps more interestingly, their attacks are evolving. A year ago, when they first started publishing this work, all the attacks were local. In other words, Miller and Valasek played around in the backseat with their computers plugged into a torn-apart Toyota Prius while terrified reporters tried in vain to drive a vehicle they could not control.

Now Miller and Valasek’s attacks are remote. No longer do they have to plug in and no longer are the pair limited to attacking the Toyota Prius they haphazardly ripped apart in the garages. The attacks leverage a vulnerability in a wireless communication protocols like Bluetooth and then use that access to pass messages along through the onboard computer systems and ultimately manipulated the car’s behavior.

“Lots more people know how to write a Web exploit than a TPMS exploit. A lot of people can write a malicious app, or pop a browser. If that’s on the same network as your brakes or steering, that’s bad.”

Part of their briefing was a discussion of the security postures different makes and models and we’ll have much more to report after the researchers release a 95-page paper examining automobiles from Audi, Honda, Infiniti, Jeep, Dodge and others.

Problematically, Miller explained that hacking a car, which may seem new and novel, doesn’t look all that different than a traditional network hack. You find a vulnerability and you exploit it. Patching a car, however, is not as simple as patching a Web browser.

Valasek explained that patching an automobile is expensive for manufacturers not only because creating the patch itself costs money but also because the manufacturer then has to contact their customers who in turn must take their vehicles to a dealer for a software update.

“It’s going to be really hard when an exploit comes out and everyone has a vulnerability that needs to be fixed,” said Valasek.

The list of potentially hackable features on newer model cars is a long one; some fun, others harrowing. Potentially exploitable features include self-parking, active lane control, pre-collision systems and adaptive cruise control, all of which require some level of communication between a sensor and the brakes, acceleration or steering, usually over Bluetooth or some other radio signal. Other – more criminally desirable features – include passive antitheft system, tire pressure monitoring system or remote keyless entry. However, these latter features, the researchers explained, offer a limited attack surface, either because they don’t exchange much data or because they require close proximity for communication.

Bluetooth capabilities, the radio data system and telematics systems that allow cellular or Wi-Fi capabilities, expand a car’s attack surface dramatically. With in-car applications and other Web connectivity features looming, the situation promises to get worse.

“Lots more people know how to write a Web exploit than a TPMS exploit,” Valasek said. “A lot of people can write a malicious app, or pop a browser. If that’s on the same network as your brakes or steering, that’s bad.”